Change My Password Again?
This article comes about because of a recent thread on the security-basics mailing list regarding password crackers. Closely related to that topic are the passwords themselves. The average user has a fairly simple password: generally not a mix of upper- and lower-case characters, and often without any numbers at all. The fact of the matter is that passwords are an important piece of the security puzzle, and more often than not the average user is the one you are working for.
SysAdmins, if taking a look at your users' passwords is not part of your agenda, make it one. I am not saying that it must be done every day, but what easier way is there to break into a system than an easy-to-guess password?
My first suggestion is to do a sanity check on your password file: run a password cracker against it and see how many accounts are broken in the first 10 minutes, or even the first hour. Odds are that someone more patient than you would like to have access to your network.
Another thing to keep in mind when looking at passwords is to never allow one of your users to use a 1337-speak password. The problem is that they are based on dictionary words with simple, common letter substitutions. In password-cracking terms, this is only one step up (common permutations) from a plain dictionary attack. Do not base passwords on dictionary words, phonetic misspellings, names, slang, etc.
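To show why 1337-speak buys so little, here is an added example (not from the article or the mailing list) of a password-policy check that maps common substitutions back to plain letters before looking the result up in a wordlist, so a leet variant of a dictionary word is rejected the same as the word itself. The substitution table, the tiny wordlist and the sample passwords are all constructed for the demonstration.

```python
import itertools
import re

# Common 1337-speak substitutions (constructed list, not from the article).
LEET_MAP = {
    "4": "a", "@": "a", "8": "b", "3": "e", "1": "l", "!": "l", "|": "l",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t", "2": "z",
}
# Tiny constructed wordlist; a real audit would load a full dictionary file.
DICTIONARY = {"password", "secret", "welcome", "letmein", "dragon", "monkey"}
MAX_SUBSTITUTED = 12  # readings grow as 2**n; past this, fall back

def deleet(candidate: str) -> set:
    """Every plain-letter reading of a 1337-style string: 'p4ss' -> {'p4ss', 'pass'}.

    Beyond MAX_SUBSTITUTED substitutable characters only the raw and fully
    substituted forms are tried (the two a cracker's 'leet' rule makes first).
    """
    lowered = candidate.lower()
    if sum(c in LEET_MAP for c in lowered) > MAX_SUBSTITUTED:
        return {lowered, "".join(LEET_MAP.get(c, c) for c in lowered)}
    choices = [(c, LEET_MAP[c]) if c in LEET_MAP else (c,) for c in lowered]
    return {"".join(p) for p in itertools.product(*choices)}

def weak_reason(candidate: str):
    """Return a short reason the candidate is weak, or None if it passes."""
    for reading in deleet(candidate):
        # Leading/trailing digits and symbols ('password123!') are another
        # common permutation in cracking rulesets, so strip them before lookup.
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", reading)
        if core in DICTIONARY:
            return f"dictionary word '{core}' with common substitutions"
    if len(candidate) < 8:
        return "shorter than 8 characters"
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        return "fewer than 3 character classes"
    return None

def audit(passwords):
    """Map each candidate password to its weakness reason (None means it passed)."""
    return {pw: weak_reason(pw) for pw in passwords}

if __name__ == "__main__":
    # Constructed sample of the kind of passwords an audit turns up.
    for pw, why in audit(["P@ssw0rd1", "dr4g0n!", "S3cr3t", "Tr0ub4dor&3"]).items():
        print(f"{pw:14} {'OK' if why is None else 'WEAK: ' + why}")
```

The same normalisation is what a cracker's rule set applies in reverse, which is why a check like this catches in milliseconds what the cracker would recover in its first few minutes.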
One idea suggested on the mailing list was to run 'strings -8 /dev/urandom' and pick something from the first screenful that you or your user can memorize. This is a random way of generating a password that still lets you choose something easy for you to remember.
Listed below are a few tools that can be used for password auditing. Run one of them against your password file and notify all users whose passwords were recovered that they need to use more complicated passwords.
Something else that may be worth your while is to look into password generators. There are many good, freely available ones. You should always use whichever method is best for you.
- L33t-5p34K G3n3r@t0r
- Java Password Generator
- hichac: generates passwords and puts them into an Apache .htaccess file.